Protecting client privacy during browsing

ABSTRACT

Methods and systems provide for receiving an assessment of a full uniform resource locator (URL) in a browser session in advance of the browser accessing the URL, maintaining client privacy in the process using a proxy between the client device and an assessment component on a server. The proxy receives the client identity and a URL. After substituting an arbitrary query identifier for the client identity in the assessment request, the proxy forwards the anonymized assessment request to the assessment component. In return the proxy receives classification data regarding the URL associated with the arbitrary query identifier, which the proxy associates with the client identity and subsequently forwards the classification data to the client.

CROSS REFERENCE TO RELATED CASES

This application is a continuation of U.S. patent application Ser. No.16/894,537, entitled “SECURITY DURING DOMAIN NAME RESOLUTION ANDBROWSING,” filed Jun. 5, 2020, which claims priority to U.S. ProvisionalPatent Application No. 62/878,283, entitled “MOBILE SECURITY,” filedJul. 24, 2019, each of which is incorporated by reference in itsentirety.

TECHNICAL FIELD

The claimed subject matter relates generally to the field of networksecurity and more specifically to enhancing network security whilemaintaining aspects of client and destination anonymity.

BRIEF DESCRIPTION OF THE DRAWINGS

The embodiments are illustrated by way of example and not limitation inthe figures of the accompanying drawings, in which like referencesindicate similar elements, and in which:

FIG. 1 is a flow chart of a method for resolving a domain name accordingto an embodiment;

FIG. 2 is an exemplary block diagram of a system and method forresolving a domain name according to an embodiment;

FIG. 3 is an exemplary block diagram of a system and method forresolving a domain name according to an embodiment;

FIG. 4 is an exemplary block diagram of a system and method forresolving a domain name according to an embodiment;

FIG. 5 is a flow chart of a method for preserving privacy whileresolving a domain name according to an embodiment;

FIG. 6 is an exemplary block diagram of a system and method forpreserving privacy while resolving a domain name according to anembodiment;

FIG. 7 is a flow chart of a method for assessing a uniform resourcelocator (URL) according to an embodiment;

FIG. 8 is an exemplary block diagram of a system and method forassessing a uniform resource locator (URL) according to an embodiment;

FIG. 9 is an exemplary block diagram of a system and method forassessing a uniform resource locator (URL) according to an embodiment;

FIG. 10 is a flow chart of a method for preventing password re-useaccording to an embodiment;

FIG. 11 is an exemplary block diagram depicting an embodiment of asystem for implementing embodiments of methods of the disclosure; and

FIG. 12 is an exemplary block diagram depicting a computing device.

DETAILED DESCRIPTION

Typically a query for Domain Name System (DNS) resolution does not havea mechanism for authenticating the client that sent the DNS query. Whilea recursive DNS server or an authoritative DNS server might havesecurity associated with it that allows the server to identify andverify the server that forwarded the DNS query, a DNS server generallylacks the ability to identify and verify the client or group of clientsfrom which the query originated.

The inability to verify the client or group of client hinders the use ofservices that might protect the client from, e.g., phishing or maliciouscontent. For example, a protective service might inspect the domain thatis the subject of a DNS query from a client where the domain is theintended destination of, e.g., an application, a browser, or otherwisethe user. The protective service might have resources, e.g., a database,that allow the protective service to compare the domain against itsresources and determine whether the domain has a good or bad reputation,is a known phishing site, or is otherwise a destination that should beavoided. However, it might be preferred that the protective service isonly available to clients that have subscribed to the service, or toclients that are part of a subscribed group, such as an enterprise'sfleet of mobile communications devices. The protective service might bea service that is internal to an enterprise, or might be provided by athird party.

Thus, it would be desirable for the protective service to have a methodfor identifying and authenticating the client that initiated the DNSquery where the method does not increase the number of related queriesfrom the client or increase the number of related responses sent to theclient.

In a related issue, a client may wish to resolve a domain name withoutthe resolving DNS server being able to associate the domain name withthe client. That is, a client may want to preserve privacy whilebrowsing. In this regard, services are available that purport to createa private DNS resolver for a client. For example, a private DNS resolvermay purport to maintain client privacy and not sell client data toadvertisers. Such a private DNS resolver may be provided at a Wi-Fihotspot. The private DNS resolver may encrypt a received DNS querybefore forwarding that query on to the public DNS resolver.

Such a private DNS resolver requires a transfer of trust. While theclient may be protected from having its packets intercepted, the clienthas to trust the private DNS resolver, itself, to keep its browsinghistory private. Additionally, the client has to trust that the privateDNS resolver is secure and not susceptible to a hack that would exposethe client's browsing history.

Thus, it would be desirable for a client to be able to initiate a DNSquery and receive a resolution without any server involved in theresolution having an association of that client with that client'sbrowsing history. In other words, the client may wish a greaterassurance of privacy than that available from the private DNS resolver,a degree of privacy such that there is no possible association made frombetween the client (user, client device, or IP address) and the domain.

In a related issue, the client may wish to employ a service thatprovides browsing protection while also preserving privacy. That is,during a browsing session, it would be desirable for the client to beable to employ a protective service to assess the destination domainwithout the protective service knowing the client identity. The abilityof an application on a client device to assess a URL in real-time, i.e.,to dynamically assess the URL, is limited. While a browser may compare aURL against a whitelist or blacklist, e.g., using a content filterextension point, there are limited ways to assess the URL if it is noton either list. For example, often, for privacy reasons, the browser istypically not able to communicate in real time to a server to get anassessment of a URL.

Furthermore, the entire URL—the domain plus the rest of the full path—isoften important in making an assessment. However, non-browserapplications normally do not have access to the entire URL because thefull path is sent over an encrypted connection.

Thus, while browsing it would be desirable to be able to send a URL to aprotective service that dynamically assesses the domain using the entireURL (i.e., the domain plus the full path) and returns the assessment tothe client without the protective service knowing the identity of theclient.

Regarding an additional privacy issue, the re-use of passwordcredentials may result in the loss of password credentials for one useraccount leading to the breach of additional user accounts. For example,password credentials obtained during one breach provide an obvious firstplace for a hacker to start when attempting to breach a second website.Password re-use is a well-known bad practice, yet it persists because itis convenient for users.

Such re-use concerns enterprises because if a non-enterprise site isbreached, an association may be made between a user name, or emailaddress, and password credentials obtained in the breach. If thepassword credentials have also been used for an enterprise service,e.g., a single sign-on, an enterprise access, or a third-party SaaS(Software as a Service) used by the enterprise, the re-used password maybe used to attach the enterprise.

Thus, it would be desirable to be able to detect and prevent passwordre-use.

In the description that follows, the subject matter will be describedwith reference to acts and symbolic representations of operations thatare performed by one or more devices, unless indicated otherwise. Assuch, it will be understood that such acts and operations, which are attimes referred to as being computer-executed, include the manipulationby the processing unit of data in a structured form. This manipulationtransforms the data or maintains it at locations in the memory system ofthe device, which reconfigures or otherwise alters the operation of thedevice in a manner well understood by those skilled in the art. The datastructures where data is maintained are physical locations of the memorythat have particular properties defined by the format of the data.However, while the subject matter is being described in the foregoingcontext, it is not meant to be limiting as those of skill in the artwill appreciate that various acts and operations described hereinaftermay also be implemented in hardware.

In an embodiment, a method provides for identifying and authenticating aclient that initiated a DNS query and provides information related tothe domain (e.g., an assessment). The embodiment uses a single DNS querythat includes authentication information and returns a single DNSresponse that includes both a resolved IP address and informationrelated to the resolved IP address. For example, a user, by way of anapplication on a client, might attempt to access www.example.com.

FIG. 1 is a flow chart of a method 100 for resolving a domain nameaccording to an embodiment. In FIG. 1 , in step 102, a server receives aquery initiated by a client device for a domain name system (DNS)resolution of a domain name. In step 104, the first server determinesthat it is authorized to process the query, or the first serverdetermines that the sender of the query is authorized to access thefirst server. In step 106, the server begins to process the query. Instep 108, the processing of the query includes the server obtaining aresolved internet protocol (IP) address for the domain name, e.g., byresolving the query itself or sending the query on for resolution. Theprocessing also optionally includes the server evaluating any availableclassification data against a policy associated with the client device.For example, the server may search available databases forclassification data. However, the server may request that a third-partyservice provide any available classification data, or may provide thepolicy to a third-party service and request the third-party serviceperform the evaluation. The server, may also simply provide anyavailable classification data to the client without evaluation. And theserver may also provide only an IP address. In step 110, when anevaluation results in a determination that the client device is notallowed to access the IP address, the server provides a DNS responsethat either substitutes a blocking IP address for the resolved IPaddress or includes a DNS RCODE (Response Code) which indicates that therequestor will not receive an IP address, such as the NXDOMAIN ResponseCode, which indicates that the domain name does not exist. Respondingwith NXDOMAIN for a domain that does exist but which the client deviceis not allowed to access will prevent the client device from being ableto access the domain. In step 112, when an evaluation results in adetermination that the client device is allowed to access the IPaddress, or is indeterminant, or is not performed, the server provides aDNS response that includes the resolved IP address and the availableclassification data. In an embodiment, there may also be a collection ofuser preferences regarding whether different classifications should beblocked. These user preferences may additionally be used in aconservative manner to support additional blocking but not to reverse ablocking decision from an enterprise policy. E.g., the enterprise policymay not include a policy to block offensive content (or any otherparticular one or more classifications), but the user has expressed apreference to block that classification. In that instance, the userpreference will result in offensive content being blocked at the clientdevice. But the user preference cannot be used to reverse a decisionfrom enterprise policy that indicated the URL or domain should beblocked; the enterprise policy blocking decision has priority.

FIG. 2 is an exemplary block diagram of an embodiment of a system 200for resolving a domain name. In FIG. 2 , a client 206 may create a DNSquery 209 for a domain name 211 (e.g., www.example.com) and transmit 262a DNS query message 208 to an authentication server 210. When creatingthe DNS query message 208, client 206 may include authentication data212 in query message 208. On receiving DNS query message 208, server 210may use authentication data 212 to authenticate client 206 and mayresolve DNS query 209, creating a query response 221 with a normal DNSresolution 216. Optionally, server 210 may transmit 264 query 209 to aserver 214 to be resolved and receive 266 normal resolution 216 fromserver 214. After providing or receiving the resolved IP address 216(the normal DNS resolution), server 210 may retrieve information orclassification data 218 related to the IP address 216 from aclassification database 220 on server 210. Optionally, server 210 mayretrieve 268 information or classification data 252 from aclassification database 250 on a classification server 248. Theretrieved information 218, 252 may be compared at server 210 to anenterprise policy 222 associated with the client in a policy database224 to determine whether client 206 should be allowed to access IPaddress 216. The retrieved information 218, 252 may be included asresponse data in a text response 226 that is itself part of a DNSresponse message 230. In an embodiment, instead of using a text response226 the retrieved information 218, 252 may be included in a differenttype of resource record than text (TXT), or in an EDNS(0) extension.Thus, the text response 226 also represents the different type ofresource record or EDNS(0) extension payload. When the comparison ofretrieved information 218 or 252 to enterprise policy 222 indicates thatIP address 216 should be blocked, DNS response message 230 may, in queryresponse 221, include a resolution of IP address 211 as a different,“blocking” address 217 that prevents accessing the resolved IP address216, or includes a DNS RCODE (Response Code) which indicates that therequester will not receive an IP address, such as the NXDOMAIN ResponseCode, which indicates that the domain name does not exist. However, ifthe comparison at server 210 of the retrieved information to the policyis agnostic regarding whether to block IP address 216, the retrievedinformation 218 or 252 may be included as response data in text response226 within DNS response message 230, or may be included in a differenttype of resource record than text (TXT), or in an EDNS(0) extension.Following transmission 270 of DNS response message 230 to client 206,the retrieved information may be compared against an enterprise policy232 in a client enterprise policy database 234 to determine whether toallow client 206 to access resolve IP address 216.

FIG. 3 is an exemplary block diagram of an embodiment of a system 300for resolving a domain name. In an embodiment, client 206 may be anenterprise client and server 210 may be an enterprise server. In theembodiment, a security component 304 may combine authentication data212, which may also include payload data 340 and a key ID 342, withoriginal query 209 using DNS extensions 336 to associate authenticationdata 212, payload data 340, and key ID 342 with DNS query 209. Since DNSprotocol does not provide an authentication mechanism, securitycomponent 304 is an example of software required at both ends of theconversation to understand how such information is being encapsulatedinto the DNS message flows. The key ID can be used to determine whetherthe DNS request can be resolved by a specific DNS server or to aspecific set addresses (e.g., addresses only available to a specificenterprise). In at least one embodiment, the key can be used not onlyfor authentication but also to identify the policies or enterprise withwhich the request is associated. For example, if enterprise group A isassociated with key Z, and enterprise group B is associated with key Xthen a request associated with key Z can be identified as beingassociated with enterprise group A.

Extension mechanisms for DNS (EDNS(0)) are provided for in the InternetEngineering Task Force (IETF) Request for Comment (RFC) 6891. UsingEDNS(0), the embodiment associates authentication data 212, payload data340, and key ID 342, with DNS query 209 in DNS query message 208 usingEDNS(0) options 336. EDNS(0) can be used to permit larger responsecapabilities.

With DNS query message 208 remaining within the enterprise's system,there is no third-party code and, as a result, no requirement toregister which extension code is used by the method—because theenterprise is both the sender and the only receiver of the query. Inaddition, a security component 335 on server 210 may block any query 208that does not include the correct option set. In the embodiment,experimental extension codes in EDNS(0) may be chosen so that if DNSquery message 208 were to go to an unintended, non-enterprise server thequery would be ignored. In addition, in the embodiment, DNS querymessage 208 may be sent using a communication protocol (for example,Transmission Control Protocol (TCP), User Datagram Protocol (UDP),etc.).

In an embodiment, DNS query message 208 may not remain within theenterprise's system, as a result the embodiment includes registering theextension code(s) used by the method.

An exemplary authentication protocol is the Hardware MachineAuthentication Code (HMAC). In the embodiment, HMAC may be used toauthenticate client 206 sending DNS query message 208 containing a querytype 338 (e.g., Type A. although any other RR Type such as AAAA could beused) and domain name 211 (e.g., www.example.com). According to the HMACprotocol, payload data 340 is generated by a client security component304. Authentication data 212 (a signature) is generated from payloaddata 340 by security component 304 using a key (not shown). According tothe embodiment, payload data 340, authentication data 212, and key ID342 are associated with DNS query 209 using EDNS(0) options 336, placingauthentication data 212 in one EDNS(0) option, payload data 340 in asecond EDNS(0) option, and key ID 342 in a third EDNS(0) option. Toclarify, while the structures of the EDNS(0) options 336 are defined byRFC 6891, the contents placed in within each option according to theembodiment are not defined by RFC 6891.

Upon receipt of DNS query message 208 by authenticating server 210 andaccording to the HMAC protocol, security component 335 may use key ID342 to retrieve a key 344 from a key store 346. Security component 335may then use key 344 to create new authentication data (a new signature,not shown) from payload data 340. Client 206 is authenticated ifsecurity component 335 compares the new signature to the originalsignature 212 and the signatures match.

Additional embodiments may employ the EDNS(0) options to containauthentication credentials that are appropriate for authenticationprotocols other than HMAC.

With client 206 authenticated, security component 335 may proceed toresolve DNS query 209 and retrieve information or classification data218 or 252 related to resolved IP address 216. In the embodiment, server210 may itself be a recursive resolver or it may forward the query to arecursive resolver server 214. Thus, in an embodiment, there may be twoservers 210, the first of which does authentication (and perhaps otherfunctions, such as load balancing), the second of which is a recursiveresolver server or may use yet another recursive resolver, wherein DNStraffic is sent between the two servers 210. Upon receipt of theresolved IP address 216, security component 335 sends a DNS responsemessage 230 to client 206, augmenting the response message withinformation or classification data 218 or 252 regarding the resolved IPaddress in text record with response data 226 that is included in anEDNS(0) option 328. In the embodiment, original query 209 may beincluded in the DNS response message as is usual in a normal DNSresponse.

An advantage of various embodiments is that the response to the originalquery includes the resolved IP address as well as, in the same message,the classification data and/or enterprise policy (e.g., in the EDNS(0)extensions), and the classification data may include data from multiplesources. The inclusion of both in the same response saves in networkperformance versus having to make separate requests for both theresolved IP address and the classification data and policy. Anadditional advantage of various embodiments results from the serverinterpreting a request for a single type query as including a requestfor other types of queries for the same domain. Thus, if the requestedtype of address is not available the client receives a different type ofaddress and need not send a second DNS query.

In an embodiment, response data 226 in the EDNS(0) option 328 mayinclude classification data 218 or 252 that security component 335retrieved from a classification data database 224 or 250 upon resolvingor receiving the resolved IP address 216. Client 206, upon receiving theDNS response message 230 with the text record 226, may compare, usingsecurity component 304, the classification data against one or moreenterprise policies 232 from a client enterprise policy database 234.The comparison may result in a determination that one or more of theenterprise policies prevents client 206 from continuing with acommunication to the resolved IP address 216. The comparison may resultin a determination that one or more of the enterprise policies advisesagainst client 206 from continuing with a communication to the resolvedIP address 216, while providing an option of continuing with acommunication. And the comparison may result in a determination thatclient 206 may proceed with a communication to the resolved IP address216. Thus, in embodiments, after sending a single DNS query message 208,client 206 may receive both a resolved IP address 216 and actionableinformation in response data 226 regarding IP address 211 in a singleDNS response message 230.

In an embodiment, the response data 226 may include a command that isimplemented by security component 304. The command may be generated by asecurity component 335 in server 210 after the security componentretrieved the classification data 218 or 252 from classification datadatabase 220 or 250 and compared the classification data against one ormore enterprise policies 222 from a policy database 224. The comparisonmay result in a determination that one or more of the enterprisepolicies 222 prevents client 206 from continuing with a communication toresolved IP address 216. The comparison may result in a determinationthat one or more of the enterprise policies advises against client 206from continuing with a communication to resolved IP address 216, whileproviding an option of continuing with a communication. And thecomparison may result in a determination that client 206 may proceedwith a communication to resolved IP address 216. Security component 335may include in the text record 226 a command that is based on one of thedeterminations, e.g.: do not communicate with the resolved IP address;communicating with the resolved IP address is advised against but isoptional (perhaps providing the user with an option); and communicationwith the resolved IP address is allowed. Thus, in embodiments, aftersending a single DNS query message 208, client 206 may receive both aresolved IP address 216 and a command controlling subsequent actions tobe taken regarding the IP address in a single DNS response message 230.

While EDNS(0) uses convenient protocol data units (PDUs), inembodiments, other protocols or custom code may be used to combine theinitial DNS query with authentication information, and to combine theresolved IP address with the text record in a DNS response message.

In the embodiment of FIG. 3 , DNS Query 209 is shown to request a Type Aresponse 338, which returns an IPV4 address for the domain of interest.The use of “Type A” is merely exemplary and the query could include anyof the various types of DNS requests, e.g., Type AAAA, or CNAME.

In an embodiment, the authentication of client 206 may be performed asfollows. Client 206 is provided a key (not shown) and security component304 creates payload data 340. Using the key, security component 304takes a hash of payload data 340 to create authentication data 212 (asignature). Security component 304 then combines authentication data212, payload data 340, and key ID 342 (designating the key used tocreate the signature) within DNS query message 208, each within its ownENDS(0) option 336. Security component 304 then forwards DNS querymessage 208 to server 210. Note that in embodiments using HMAC, payloaddata 340 is not encrypted. Rather payload data 340 is sent alongsideauthentication data 212 (the HMAC hash made using the key). Server 210uses key ID 342 to retrieve a key 344 from a key store 346. Server 210then takes a hash of payload data 340 using retrieved key 344, creatingnew authentication data (a new signature, not shown). The server thencompares the new signature to the received signature. When thesignatures match, client 206 is authenticated.

In an embodiment, enterprise policy 232 may be implemented on client 206by configuring client 206 to respond to response data 218 or 252according to the policy. For example, enterprise policy 232 may be toblock certain categories (e.g., phishing, offensive, etc.). The websitescan be associated with website categories (e.g., advertising, news,phishing, offensive). For example, an enterprise policy can indicatethat phishing categories should be blocked, so when the enterprisepolicy is applied the website that are associated with phishing will beblocked for users/devices associated with said enterprise.

In the embodiment of FIG. 3 , at authenticating server 210, ifcommunication with resolved IP address 216 is unauthorized after thecomparison of characterization data 218, 252 to one or more enterprisepolicies 222, then resolved IP address 216 may be replaced with adifferent, “blocking” IP address 217 that prevents accessing resolved IPaddress 216, and no classification data is included in the text response226, the server can provide a DNS response that either substitutes ablocking IP address for the resolved IP address or include a DNS RCODE(Response Code) which indicates that the requester will not receive anIP address, such as the NXDOMAIN Response Code, which indicates that thedomain name does not exist. Responding with NXDOMAIN for a domain thatdoes exist but which the client device is not allowed to access willprevent the client device from being able to access the domain. In anembodiment, the key associated with a DNS request can be used todetermine the enterprise policy associated with the request, based onthe enterprise policy a determination can be made whether to block an IPaddress, or resolve an IP address. For example, enterprise policy A canbe associated with key Z so when a request is made by a user and it isdetermined that the request is associated with key Z, it can bedetermined that the request is associated with enterprise policy A.Based on the determination that the request is associated withenterprise policy A, the request can be resolved or blocked.

In embodiments, the classification data for a resolved IP address may beincluded in a classification data database on server 210, on resolvingserver 214, on classification server 248, and on client 206.

In embodiments, the classification data for a resolved IP address may beprovided, in response to a request from server 210, by a third-partyservice to server 210 after the third-party service accesses its ownclassification data database. In embodiments, there may be multiplesources of classification data, e.g., from the primary vendor of the DNSplus classification service, from the enterprise using such a service,or from one or more third-party services. In such a case theclassification server 248 may map all classification results to a singleclassification taxonomy from the individual and different classificationtaxonomies used by the other sources of classification data. In somecases, there may be a disagreement amongst the different sources ofclassification data as to the classification of a particular domain orURL. In such an instance the classification server 248 chooses whichclassification to use by various methods. The classification server 248may choose to allow classifications from an enterprise source tooverride other classifications. The Classification Server 248 may chooseto employ a voting system to use the most frequent classification amongthe classification sources. The Classification Server 248 may choose touse the most conservative classification among the classificationsources; e.g., if only one of the several sources of classification dataindicate that a particular domain or URL is classified as “Phishing,”then the “Phishing” classification will be used to safeguard requestingclients. The Classification Server 248 may choose to use the most recentclassification data from the several sources of classification data.Additionally, when the Classification Server 248 sees such a conflict ordisagreement amongst the different sources of classification data, itmay initiate a real-time or scheduled security or content analysis ofthe domain or URL in question. The security or content analysis maydetermine an updated classification, which will be used by theClassification Server 248. In an embodiment, the choice of how theClassification Server 248 resolves conflicts or disagreements isdetermined by an enterprise policy.

In embodiments, authenticating server 210 may optionally be a recursiveDNS server. Recursive server 210 may review a cache 354 for the resolvedIP address in resolving query 209. Similarly, client 206 may review itsown cache 356 before sending DNS query message 208. Each such cache mayinclude resolved IP addresses, where the duration that such addressesare accessible being determined by a Time To Live value (TTL, e.g., FIG.6 , elements 632, 634) that is returned in a DNS response.

In embodiments, client 206 may be any of: a mobile communicationsdevice, a laptop, any computing device from which a user may browse anetwork, a smart speaker, a ‘thing’ in the Internet of Things, andsystem components between such devices and server 210, such as a router.Client 206, server 210, server 214, and server 248 may be connected bynetwork connections 360. Options for client 206 and network connections360 are discussed further within regarding FIG. 11 and FIG. 12 .

FIG. 4 is an exemplary block diagram of a system 400 for resolving adomain name according to an embodiment. In FIG. 4 , a security component206 on a router 204 uses EDNS(0) options 336 to combine theauthentication information (e.g., authentication data 212 payload data340, and key ID 342, where HMAC is being used) with original DNS query209. In FIG. 4 , the embodiment is described regarding router 404.However, router 404 is exemplary of any of a number of network devicesthat may receive DNS query message 208 from client 206 and modify thequery message according to the embodiment. In other embodiments, router404 may be replaced by, e.g., a hub, switch, bridge, gateway, modem,repeater, or access point.

In the embodiment of FIG. 4 , many system components and method elementsare the same as or similar to elements discussed with regard to FIG. 1through FIG. 3 . For convenience, like reference numbers refer to thesame element in the various figures. In FIG. 4 , client 206 addressesDNS query message 208 to server 210. In contrast to FIG. 3 , client 206does not add information to EDNS(0) options. En route to server 210, DNSquery message 208 is received 462 by router 404 in which a securitycomponent 406 creates authentication data 212 (a signature) by taking ahash of payload data 340 using a key. Router security component 406 thencombines authentication data (a signature), the payload data, and thekey ID with the DNS query message using EDNS(0) 336 options as discussedearlier. In an embodiment, the router adds the payload to the requestsent from a client. For example, a client (e.g., device in a homeoffice) can transmit a request to a router in a remote location (e.g.,enterprise office), the router can add a payload to the request allowingto client to resolve IP addresses that are associated with theenterprise office. The embodiment may be used, e.g., when the clientsends an unencrypted DNS request using UDP, or when router 404 has beenprovisioned with a certificate that allows it to man-in-the-middle theDNS message flow (if encrypted).

Transmission 464 sends DNS query message 208 to server 210, whichproceeds as discussed earlier to resolve IP address 211 (internally orvia communications 466, 468 with DNS server 214), acquire classificationdata 218 or 252 (via communication 470 with server 248), and includeresolved IP address 216 and the classification data within DNS responsemessage 230. Server 210 transmits 472 DNS response message 230 to router404 by security component 335. In router 404, security component 406 mayhave authority to make decisions for client 206 based on theclassification data 218 or 252 received from the server 210. Router 404may also access a router classification data database (not shown) orclassification database 250 on server 248. Security component 406 maythen compare the classification data against an enterprise policy 410for client 206 retrieved by router 404 from database 408. When thecomparison shows the classification data to meet the enterprise policy,or the comparison is agnostic or otherwise indeterminant, router 404forwards 474 DNS response message 230 to client 206. In an embodiment,security component 406 may forward 474 DNS response message 230 toclient 206 without security component 406 having compared classificationdata 218 or 252 against any enterprise policy 410 or otherwise modifyingDNS response message 230. In such an embodiment, security component 304,upon client 206 receiving DNS response message 230, may compare responsedata 226 against one or more enterprise policies 232 and implement therequired action as described earlier with regard to FIG. 1 through FIG.3 .

In various embodiments, server 210 may receive DNS query messages fromclients of more than one enterprise. In such embodiments, part of theauthentication procedure at server 210 associates the sending client 206with a particular enterprise. Thus, in the embodiments, the databases ofenterprise policies 408 may include policies from more than oneenterprise. In such an embodiment, additional steps in the methodperformed at server 210 include: associating client 206 with aparticular enterprise; and comparing the classification data of theresolved IP address to only those policies that are associated with theparticular enterprise.

In embodiments, the DNS query message may only need to go to a recursiveresolver, which then processes the query accordingly. In other words,there is no requirement that the query go to the root server, the TLDserver, and then to the authoritative server, because there may be cacheentries at the DNS recursive resolver that eliminate the need to performthose additional queries to the root server, the TLD server, or even theauthoritative server.

While embodiments may be discussed as using TCP to send the DNS querymessage, the use of TCP in the various embodiments is exemplary.Embodiments may also send DNS queries over TLS (DOT: DNS over TLS) orHTTPS (DOH: DNS over HTTPS) or DNS over Datagram Transport LayerSecurity (DTLS) or DNS over UDP. From the standpoint of the methodsdiscussed, they could be implemented using any of the protocols. DNSover TCP, while reliable, does experience a slight performance drop incomparison to the other protocols because setting up the TCP connectionrequires a few exchanges, among other things.

For example, in an embodiment, DOT (DNS over TLS) may be used as theconnection protocol. In the embodiment, performance may be improved bykeeping the DOT connection open. Furthermore, when there is one DNSresolution in a browsing scenario, that resolution is typically followedby significantly more. For example, a typical web page may include 20 ormore trackers, things such as scripts or images from different domains,and those additional addresses require resolution. So, when the firstdomain name is resolved, if the TLS connection is kept open, thesubsequent resolutions may proceed without duplicating the creation of aTLS connection. In other words, the resolution process could be repeatedon the open TLS connection.

In more detail, if an e-mail contains a link to a website, when thatlink is selected, and the mail client opens up a browser for that URL,the browser sees the whole path URL. The browser takes the domain andperforms a DNS resolution to determine the IP address to connect to.With the IP address the browser makes the HTTP connection to the IPaddress. The HTTP server responds with an HTML response—an HTML webpage. Such a web page typically includes a significant number ofadditional URLs. It may include URLs our of image tags, ULRs for stylesheets (e.g., CSS), URLs for scripts, and the scripts themselves maygenerate other URLs. The use of DNS pre-fetch may result in a browserobtaining DNS resolution of URLs before they are required by the useractivities, e.g., clicking on a link. In other words, an incredibleamount of DNS traffic may be created by accessing just one web page.Thus, if the TLS connection is kept open, and the subsequent resolutionsmay proceed without duplicating the creation of a TLS connection, thisresults in a significant performance enhancement.

FIG. 5 is a flow chart of a method 500 for preserving privacy whileresolving a domain name according to an embodiment. In FIG. 5 , in step502, a first server receives a query initiated by a client device for adomain name system (DNS) resolution of a domain name, with domain namebeing encrypted in the query. In step 504, the first server determinesthat the first server is authorized to process the query, or the firstserver determines that the sender of the query is authorized to accessthe first server. In step 506, the server begins to process the query.In step 508, the server anonymizes the query, e.g., by removing theidentity of the client device and adding a query identifier. In otherwords the server disguises the source of the query. In step 510, theserver sends the anonymized query to a second server for resolution,where the second server may be, e.g., a recursive server. In step 512,the first server receives from the second server a DNS response with thequery identifier and an IP address that is encrypted. Thus, the firstserver does not know the domain name or the corresponding resolved IPaddress in either the initial query or the subsequent DNS response. Instep 514, the first server associates the DNS response with the clientdevice, e.g., using the query identifier. And in step 516, the firstserver sends the DNS response with the encrypted IP address to theclient device for decrypting by the client device. In the processing ofthe query, method 500 optionally includes the following optional steps.The second server may retrieve and evaluate available classificationdata against a policy representation associated with the client device.For example, the second server may receive a representation of a policyassociated with the client device from the first server in theanonymized query. The second server may then search available databasesfor classification data. However, the second server may optionallyrequest that a third-party service provide any available classificationdata, or may provide the policy representation to a third-party serviceand request the third-party service perform the evaluation. The secondserver may also simply provide any available classification data to theclient without evaluation. And the second server may also provide onlyan encrypted IP address. In an additional optional step, when anevaluation results in a determination that the client device is notallowed to access the IP address, the second server may provide anencrypted DNS response that substitutes a blocking IP address for theresolved IP address or includes a DNS Response Code of NXDOMAIN. In anadditional optional step, when an evaluation results in a determinationthat the client device is allowed to access the IP address, or isindeterminant, or is not performed, the second server may provide anencrypted DNS response that includes the resolved IP address and theavailable classification data.

FIG. 6 is an exemplary block diagram of a system 600 for preservingprivacy while resolving a domain name according to an embodiment. InFIG. 6 , a client 206 may initiate DNS query 208 and receive DNSresolution 216 without any server involved in the resolution having anassociation of client 206 with DNS query 209. In other words, client206's browsing history remains private because the system and methoddivorce the knowledge of the client identity from the knowledge of thedomain that is the subject of the DNS query.

In the embodiment of FIG. 6 , when client 206 sends a DNS query 209,security component 304 substitutes an encrypted domain 606. For example,security component 304 may use a public key 604 of a resolving server603 to encrypt the domain that is the subject of query 209. Securitycomponent 304 may also include authentication information along with thequery. For example, security component 304 may use EDNS(0) options asdiscussed earlier. Security component 304 may then send 650 query 209 toan authenticating server 601. With the domain encrypted and without theresolving server public key, server 601 cannot know what domain is beingresolved. Server 601, however, may perform the authentication asdiscussed earlier. Based on the authentication and identity of client206, server 601 also performs a determination of what enterprise policyis to be applied to the eventually-resolved IP address by accessingdatabase 224. Server 601 includes, in DNS query message 208, arepresentation 616 of the determined enterprise policy or policies 222.Server 601 also includes, in the DNS query, a query identifier (queryID) 608 that server 601 has associated with client 206 (but which,outside of server 601, may not necessarily be used to identify client206). Query ID 608 may be an arbitrary label that server 601 creates andassociates with client 206 and the particular query 209. Representation616 of the policy may be, for example, a policy identifier thatresolving server 603 could use to retrieve a policy 222 from a policydatabase 224. Or, representation 616 could be more detailed, such as alisting of categories of allowed or blocked IP addresses. Server 601then forwards 652 the DNS query message 209 with encrypted domain 606 toserver 603 along with an encrypted client public key 612 (for later useby server 603), policy representation 616, and query ID 608.

Server 603 authenticates the response as originating from server 601,but does not authenticate client 206, having only query ID 608 toidentify the client. Server 603 decrypts query 209 and determinesdecrypted domain 614 is to be resolved. Thus, neither server 601 norserver 603 has both client 206 identity and decrypted domain name 614—nosingle server has that private information. Server 603 then proceeds toresolve the query as discussed earlier, which returns, e.g., the IPV4address of the domain for a Type A query. Additionally, server 603, uponresolving the IP address, may use representation 616 of the policy toretrieve the classification data 218 or 252, as discussed previously.Server 603 encrypts a resolved IP address 620 using decrypted clientpublic key 618. Server 603 also encrypts classification data 622included, e.g., in the text response data of EDNS(0) options 328. Server603 includes query ID 608 in DNS response message 624 and transmits 654message 624 to server 601.

On receipt of DNS response message 624, server 601 uses query ID 608included in the response message to determine the identity of client 206to which response message 624 should be sent. With the DNS resolutionwithin the DNS response message being encrypted 620 and with theresponse data of the text response also being encrypted 622, server 601does not know the resolved IP address. Nor does server 601 know theclassification data associated with the resolved IP address. Thus,server 601 still does not know decrypted domain 614 was the subject ofthe query. And server 601 does not have access to encryptedclassification data 622, which may be used to identify the nature of thedomain, if not the actual domain.

In an embodiment, server 601 may maintain query ID 608 in a database 610associated with the IP address of client 206, query 209, and otherinformation such as an identifier of a network connection with theclient and an identifier of a network connection with server 603. Withquery ID 608 included in the DNS response message by server 603, server601 may retrieve the associated client (client 206) from database 610.The process is similar to NAT forwarding, except in this case privacy ispreserved. Server 601 then transmits 656 DNS response message 624 toclient 206 (without including query ID 608).

When client 206 receives DNS response message 624, security component304 may use a client private key 628 to decrypt resolved IP address 620and response data 622 in the text response.

With regard to FIG. 6 , in the embodiment, client security component 304initially encrypts domain 606 and client public key 612 using public key604 of resolving server 603. In the embodiment, client 206 obtainspublic key 612 after connecting to server 601 and being informed byserver 601 that server 603 is the DNS resolve to which server 601directs DNS queries. Server 601 may then furnish client 206 with server603's certificate, with server 603's public key directly, or with server603's domain name or other identifier. Client 206 may then fetch acertificate and obtain server 603's public key.

In an embodiment, instead of using public key cryptography for every DNSquery, the first time server 603 receives a DNS query, server 603generates and encrypts (using client public key 618) a symmetric key 638and includes that key in the EDNS(0) options 328. Subsequent DNS queriesfrom client 206 may then use symmetric key 629 to encrypt the query datadestined for server 603. The subsequent use of symmetric keycryptography will speed up the DNS resolution process between client 206and server 603 since symmetric key cryptography is significantly fasterthan public key cryptography. By analogy, the use of symmetric keycryptography between server 603 and the client is similar to performinga TLS handshake between server 603 and the client through server 601.The client 206 and the server 603 can perform a process such as aDiffie-Hellman key exchange communicating through server 601 toestablish the symmetric key that will be used. In the embodiment, at notime does a single server know both the client identity and thedestination domain. In an embodiment the client 206 and the server 603may establish a different symmetric key at a later time, so that thesymmetric key itself cannot be used to perform long term browser historytracking. In an embodiment that uses public key cryptography for everyDNS query, the client 206 may provide a different public key in itstransmission.

Still regarding FIG. 6 . In embodiments, the privacy-preserving DNSproxies—server 601 and server 603—could be in the same data center inthe cloud, or could be separated. Also, server 601 and server 603 neednot be operated by the same entity. However, the use ofprivacy-preserving servers 601, 603 and the additional communicationsmay slow down the DNS resolution process.

In some embodiments, to reduce any negative impact on performance ofusing privacy-preserving servers 601, 603, knowledge of what the clientmay request next may be used to anticipate the next client request and,as a result, speed up the resolution process.

In one such embodiment using privacy-preserving servers 601, 603, server603 interprets a Type AAAA query (a request for an IPV6 address) as botha Type AAAA query and a Type A query (a request for an IPV4 address) forthe same domain. Thus, if an IPV6 address is not available, the clienthas the IPV4 address and need not send a second DNS query.

In a second such embodiment using privacy-preserving servers, server 603may have a machine learning module 630 that is trained by DNS querydata. Server 603 may employ machine learning module 630 to predict,using an initial DNS query 209, what subsequent DNS queries may follow.With regard to FIG. 6 , an embodiment of a system and method forpreserving client privacy in a DNS resolution may employ machinelearning module 630. In the embodiment, query ID 608 may also include anassociated session identifier (also stored in the query identifierdatabase 610 of server 601), which may be used by server 603 todetermine that multiple queries are associated with a single browsingsession. The session identifier may allow server 603 to identifymultiple destinations that are typically resolved after an initial DNSquery and during the same session as the initial DNS query. For example,machine learning module 630 may determine that when www.example.com isan initial DNS query, 95% of the time a certain set of other domains arethe subject of DNS queries during the same session. As a result, machinelearning module 630, upon the resolution of a domain from an initial DNSquery message, may query a database developed by machine learning module630. Machine learning module 630 may determine that there is a set ofassociated domains, the resolution of which is usually requestedfollowing the initial DNS query. Machine learning module 630 may thendirect security component 644 to include in DNS response message 624,along with encrypted IP address 620 of the initial domain, the encryptedIP addresses for each of the set of associated domains in one or moreEDNS(0) options. The ability of the embodiment to pre-fetch a set ofpredicted IP addresses based on an initial IP address may be asignificant time-saver and performance enhancement. In an embodiment,the use of the machine learning module 630 to supply multiple DNSresolutions and associated classifications may be implementedindependently of the use of privacy preserving servers.

In a third such embodiment, machine learning module 630, receiving theTime-to-Live (TTL) value for resolved IP address 620, may add that IPaddress and associated TTL value to a database 632 of resolved domain IPaddresses and the TTL values 634 provided along with the resolution. Theprovided TTL value indicates how long the resolved IP address is to livein the client's cache. From the data received from multiple resolutions,machine learning module 630 may add to database of provided TTL values632, a TTL value that represents an effective TTL of the IP address,which may be considerably longer than the provided TTL. In other words,machine learning module 630 may determine that an IP address tends to bemore stable than the provided TTL indicates. The difference between theprovided TTL and the effective TTL may be due to a practice, which isbecoming more common, in which a resolved IP address is given a TTLvalue that is unreasonably low. For example, TTL values of 6 and 12seconds are becoming common. There is a benefit to web server operatorsassociated with this practice—obsolete IP addresses time out of cachemuch faster, which allows for changes that web server operators make(such as moving a web server to a machine with a different IP address)propagate more quickly throughout the internet, but such changes arerelatively infrequent thus these extremely low TTLs are unneeded inpractice. But a negative effect of such low TTL values is that aresolved IP address ceases to exist in cache very quickly. As a result,there is likely to be a subsequent DNS query for that recently-expiredIP address. Where machine learning module 630 receives a resolved IPaddress, it may consult its associated database 632 and determine thatthe effective TTL of the IP address is significantly longer than theprovided TTL. Machine learning module 630 may then substitute theeffective TTL, or a value for the TTL between the published TTL valueand the determined effective TTL, for the provided TTL in DNS responsemessage 624. Thus, resolved IP address 216 may remain in client cache356 long enough to avoid one or more subsequent DNS queries for thedomain. For example, where a provided TTL might be 6 seconds forwww.example.com. If machine learning module 630 determines that aneffective TTL is 1 minute, then upon resolving www.example.com, machinelearning module 630 may change the TTL in the DNS response message to 1minute. This substitution may eliminate 9 subsequent DNS requests toresolve www.example.com by the 64 second extension of the effective TTL.In some embodiments, the substitution may require server 601 convey toserver 603 a pre-existing user permission or a policy that allows forthe substitution, e.g., along with the policy data.

Furthermore, in an embodiment, longer TTL values may be substituted forthe provided based on characteristics of the client device. For example,if a mobile communications device or a laptop is operating with a lowbattery, the substitution of a longer TTL for the provided TTL valuecould result in reducing the number of possible DNS queries sent by thedevice. In another example, a poor connection between the client deviceand the server may benefit from having to transmit fewer DNS queries, iflonger TTL values are substituted.

FIG. 6 may be used to discuss a fourth such embodiment in which the EDNSclient subnet (ECS) standard is used along with EDNS(0) to include somelimited information about client 206 location in DNS query message 208as it is sent from the client to server 601 to server 603. Because manywebsites use Content Delivery Networks (CDNs) there may be manydifferent copies available of a website around the network. Withoutinformation regarding the location of client 206, server 603 maydetermine that there are a number of potential resolutions of thedomain. As a result, server 603 may supply a resolved IP address that isless than optimally located with respect to client 206. For example, inthe absence of ECS information in a DNS query, an authoritative resolver(or an intermediate recursive resolver), might choose a server which isclose to the requesting recursive resolver, which may be very far fromthe actual client device itself. In contrast, with even limited clientlocation information, server 603 may resolve a DNS query with the IPaddress that is nearest to the client, or at least nearer. In theembodiment, ECS may be used by security component 304 of client 206 toinclude a partial client IP address 636, unencrypted, in an EDNS(0)option 336 of DNS query message 208. For example, partial client IPaddress 636 may be the first 8 or 16 bits of an IPv4 address, which isequivalent to providing a general IP address neighborhood. With partialclient IP address 636, server 603 may be better able to respond with theclosest resolved IP address. Thus, in the embodiment, and, perhapsrequiring user approval or an approving enterprise policy, client 206includes ECS information in the original DNS query. The user preferenceor enterprise policy may allow ECS information to be used, or mayprohibit ECS information from being used, or may allow a widened (lesslocalized) ECS information to be used, or may separately specify suchECS policies differently for different domains, or a combination of theabove. The operation of widening ECS information is the process ofdecreasing the size of the subnet value in the ECS information torepresent a subnet that includes more IP addresses, thus reducing theability for a receiver of ECS information to highly localize the clientin a privacy invasive manner, which still retaining the benefit of beinglocalized enough so that an optimal server can be chosen for DNSresolution. In an embodiment the widening process may involve reducingthe subnet value by a fixed amount, or may use information about thegeographic distribution of IP addresses to widen the ECS information(reduce the subnet value) so that the result still corresponds to thesame general area, such as city or county, where the client IP addressactually is. Where an enterprise policy 232 is controlling, that policymay prevent the inclusion of ECS information in the DNS query. Inaddition, the policy may allow the inclusion of ECS information fromsome clients but not for others, due perhaps to the location of a clientas being associated with an enterprise server, with the result thatdivulging the ECS information for client 206 could lead to theassociation of the DNS query with the enterprise. Thus, user preference,enterprise policy, or both may be used to prevent or limit the sendingof ECS information with DNS query message.

A benefit of embodiments in which the DNS query is encrypted and routedto server 603 is that the routing to server 603 prevents what is knownas “DNS hi-jacking.” DNS hi-jacking may be performed by Internet ServiceProviders (ISPs) or mobile network operators (MNOs) who collect and sella user's browsing history. DNS hi-jacking occurs when the ISP or MNOdiscovers a DNS query on a network (traditional DNS queries are sentunencrypted and are easily observed and can be modified) and changes thequery to direct it to a different, preferred DNS server. Embodimentsprevent DNS hi-jacking because the communications are encrypted, e.g.,DOT:DNS over TLS. In such embodiments, external actors (ISPs, MNOs) arenot able to determine who the client is or the domain that is thesubject of the DNS query until after the connection is actually made. Asa result, the privacy of the client is enhanced.

In embodiments, a benefit of having resolved IP address 216 andclassification data in the same DNS response message is that theclassification data database may include the classification dataassociated with both domain name 614 and resolved IP address 216. Thisbenefit applies to the various embodiments as discussed with regard toFIG. 1 -FIG. 5 . The benefit is that additional classification data maybe generated based on associations formed by newly-resolved IPaddresses. For example, an exemplary domain name may not be associatedwith any negative classification data. However, the resolved IP addressfor the exemplary domain name may be very similar to or the same as oneor more other IP addresses for which there is substantial negativeclassification data. In such a situation, the substantial negativeclassification data may be imputed to the resolved IP address for theexemplary domain name based on the similarity of the resolved IPaddress. This might be considered a “transitive” classification schemethat imputes classification data based on the degree of similarity of IPaddresses. Subsequently, an enterprise policy may determine whether ornot the resolved IP address should be blocked or allowed based on anapplication of the policy to the imputed classification data. Forexample, suppose a client had previously visited “baddomain.com” and theresolved IP address was 1.2.3.4 with classification data stating,effectively: “This is not some place you want to go—this is a knownmalware site or phishing site.” That resolution provides a link betweenthe negative classification data of baddomain.com and IP address1.2.3.4., and the link may be stored in classification database(s) 218,250, 640. Subsequently, if a DNS query for “reasonable.com” returns theresolved IP address 1.2.3.4, even if there is no classification data forreasonable.com, security component 644 may include in DNS responsemessage 624 the negative classification data from IP address 1.2.3.4. Inaddition, the classification database may be continually dynamicallyupdated with links between domain names and IP addresses as DNS queriesare resolved. Thus, for example, the embodiment provides for imputingnegative classification data in the case of phishers that host multipledomains on the same IP address (e.g., the same server), the same ASN, orin the same subnet, as determined by the IP address being relativelyclose.

FIG. 7 is a flow chart of a method 700 for assessing a uniform resourcelocator (URL) according to an embodiment. In FIG. 7 , in step 702, afirst server receives query from a client device. The query includes afull URL and a request for classification data associated with the fullURL. And the query is received before the client device accesses theURL. In step 704, the first server anonymizes the query by removing fromthe query identification of the client device and adding a queryidentifier. In step 706, the first server sends the anonymized query toa second server. In step 708, the first server receives classificationdata associated with the URL from the second server along with the queryidentifier, where the classification data may include any of, e.g., anassessment of the URL, classification data associated with the URL, or acommand regarding the access of the URL by the client device. In step710, the first server associates the classification data with the clientdevice using the query identifier. And in step 712, the first serverresponds to the query by sending the classification data to the clientdevice, where the client device evaluates the classification data todetermine whether to access the URL.

In a further embodiment of method 700, in step 702, when the firstserver initially receives the query, the URL is encrypted and the queryalso includes an encrypted client public key. The second server, onreceiving the query, decrypts the URL and client public key. Forexample, the URL and client public key may be encrypted using the secondserver's public key. In step 708, when the first server receivesclassification data, the classification data is also encrypted. Forexample, the second server may encrypt the classification data using theclient's decrypted public key. Thus, in the embodiment, the first serverdoes not know the destination URL or classification data, and the secondserver does not know the identity of the client device. In an embodimentsimilar to the one described above, a symmetric key can be establishedbetween the client and the second server to encrypt communicationsbetween these two parties.

FIG. 8 is an exemplary block diagram of a system 800 for assessing auniform resource locator (URL) according to an embodiment. In FIG. 8 , abrowser security component 804 is embedded in either the operatingsystem 806 or browser application 808. Operating system 806 or browserapplication 808 each have access to a resolve full URL 810 before thebrowser initiates a communication with a website 812 identified by fullURL 810 on a third-party server 814. Thus, security component 804embedded in operating system 806 or browser application 808 may receivefull URL 810, before browser 808 initiates a communication with the URLfrom operating system 806 or browser application 808. As a result,security component 804 may transmit 870 a URL query 816 that includesfull URL 810 to a privacy-preserving server 818 with a request for anassessment of full URL 810.

A security component 824 on privacy-preserving server 818 may thenassociate a query identifier (query ID 820) with the request and client206, add query ID 820 to URL query 816, and associate query ID 820 withclient 206 in a database 822. Security component 824 may also removefrom URL query 816 any information that may identify client 206, andtransmit 872 query 816 to an assessment component 826 executing on anassessing server 828.

Assessing server 828 receives URL query 816, full URL 810, and query ID820, but not the identity of client 206. Assessment component 826retrieves full URL 810 and retrieves associated classification data 830(or assessment data) regarding full URL 810 from one or both of anassociated classification data database 832, or from a third-partyclassification data database (not shown). Assessment component 826 thenadds classification data 830 and query ID 820 to a URL Response 834 andtransmits 874 URL response 834 back to privacy-preserving server 818.

Security component 824, using query ID 820 in URL response 834 anddatabase 822, determines that client 206 is the proper recipient ofclassification data 830 and transmits 876 URL response 834 to client206. Browser 808 may be instructed to wait for an assessment fromsecurity component 804 before initiating contact with the URL.

In this manner, the use of two servers, the first being anonymizing,privacy-preserving server 818, is much like the embodiments referred towith regard to FIG. 1 through FIG. 7 in that the first server is ananonymizing server or proxy, the use of which prevents the results ofthe second server from being associated with the client. Also, similarto the embodiments of FIG. 1 through FIG. 7 , classification data 830may be used by both privacy-preserving server 818 and client 206. Inthat regard, classification data 830 may include a variety ofassessments including: whether to block access, whether to allow access,and data regarding URL 810 that may allow another security component tomake a determination as to whether to block or allow access. Thus,classification data 830 may be compared by security component 824against an enterprise policy 836 in a database 838 that is associatedwith client 206. The comparison may result in URL response 834 includingan assessment or command regarding whether client 206 may access URL810. If the comparison is agnostic or otherwise indeterminate, thecomparison may result simply in classification data 830 being forwardedto client 206, at which point security component 804 may compareclassification data 830 against an enterprise policy 840 associated withclient 206 in a database 842 to determine whether client 206 is allowedto access URL 810.

In the embodiment described with respect to FIG. 8 , privacy-preservingserver 818 has knowledge of both full URL 810 and client 206. This wouldnot be an issue if the privacy-preserving server were completelytrusted, e.g., if the server were an Apple server that knows it is theonly server allowed to see the full URL and know the identity of theclient. Also, in the embodiment, privacy-preserving server 818 may be anenterprise server associated with client 206, or not. Andprivacy-preserving server 818 may be operated by the browser vendor, theOS vendor, or a third party independent organization. The function ofprivacy-preserving server 818 is to divorce the identity of client 206from the assessment of URL 810. For this, privacy-preserving server 810may be associated in some way with client 206, just so long as theassociation between the server and client does not, by itself, identifythe client more than is desirable. For example, shouldprivacy-preserving server 818 be associated with a company such asApple, client 206 may potentially be identified as a user of an Appledevice, which would generally not be considered a loss of privacy.However, if privacy-preserving server 818 were associated with a verysmall enterprise, the identity of client 206 may be one of only a smallnumber of devices, which may not adequately preserve privacy. In theembodiment, assessing server 828 may be a third party server thatperforms assessments of URLs. In addition, because privacy-preservingserver 818 knows the identity of client 206 and has access to full URL810, security component 824 may perform the assessment of full URL 810using an associated database 866 to retrieve classification data 868.

Data Loss Prevention (DLP) is the practice of detecting and preventingdata breaches, exfiltration, or unwanted destruction of sensitive databy detecting and blocking sensitive while in use (endpoint actions), inmotion (network traffic), and at rest (data storage). Organizations canuse DLP to protect and secure their data in addition to complying withregulations. Enterprises can protect data on devices like PCs,especially such devices are operating inside a network perimeter, usingtraditional DLP (Data Loss Prevention) solutions. Many such solution areable to examine communications to/from the device and to match the databeing sent/received against definitions of types of sensitive data.However mobile devices have operating systems which do not support suchinspection of data being sent received.

In an embodiment, two certificates can be placed on a mobile devicewhich allows for inspection of communication on a mobile device for aselect communication paths. A matching operation against types ofsensitive data (regexes, similarity to known sensitive content, etc.) isthen possible. Privacy can be preserved by only sending off the devicean indication of what type of data matched the content. Later admin canrequest what actual data (from the device), with or without userconsent.

In an embodiment, a signing certificate can be placed on device (e.g.,in the certificate store). In response to a network request identifiedas requiring an inspection (e.g., determined by device, determined bythe enterprise policy, determined by the security component, determinedby DLP policy), the request can be intercepted and a destinationcertificate can be created on the device. For example, if a deviceattempts to access abc.com and it is determined this request should beintercepted, a local destination certificate for abc.com can be createdusing the signing certificate on the device. The request to abc.com canbe received by a component on the device and because the abc.comcertificate (local destination certificate) can be validated by thedevice as authentic the request can be viewed by the component on thedevice. Once the request is reviewed by the component the request can betransmitted to abc.com.

In some embodiments, after the request is intercepted and it isdetermined that intercept is no longer required in the session, aredirect request can be sent and the communication between the deviceand the destination server (e.g., abc.com) can direct without theinterception from the security component.

In at least one embodiment, the signing certificate can be unique to theindividual device. Since the signing certificate can generate trustedcertificates, and the security component can be configured to accepttrusted certificates associated with specific signing certificates thereis security risk to having a signing certificate compromised. Therefore,it is preferable to have signing certificates unique to the individualdevices. In the event that the signing certificate is compromised, thesigning certificate unique to the individual device would not be a riskto other device. For example, device A can be associated with signingcertificate A, and device A is configured to trust certificates signedby signing certificate A; device B can be associated with signingcertificate B, and device B can be configured to trust certificatessigned by signing certificate B. In the example, if signing certificateas comprised and used to generate a trusted certificate Z, the trustedcertificate Z would not be identified as valid by device B, because thesigning certificate associated with device B is signing certificate Band not signing certificate A.

In some embodiments, the intercepted request and/or communication can bereviewed in accordance with the DLP policies. In at least oneembodiment, the DLP policy can be stored on a security server and sentto the device based on the destination associated with a request. Forexample, if the intercepted communication is determined to be with afinancial institution then the DLP policy associated with the financialinstitution communication can be pulled/pushed from a server oridentified on the device; the communication can be analyzed inaccordance with the appropriate DLP policy. The analysis can beperformed locally on device in a privacy preserving manner.

In at least some embodiments, the determination of the appropriate DLPpolicy can be based on the analysis of the DNS request. The analysis ofthe DNS request can include determining the enterprise policy based onthe authentication information associated with the DNS.

In at least one embodiment, the DLP policy can be configured forphishing and content protection. In at least one embodiment, the DLPpolicy can configured to review domains that are identified as graydomains. A gray domain is a domain that contains both URLs withlegitimate content and phishing content. For example, if a domainidentified as a gray domain the communication can be intercepted and thesite being accessed can be analyzed to determine whether it includesphishing content, or other content identified as problematic by the DLPpolicy. In response to determining that the content is phishing content,the DLP policy can indicate that the site should be blocked, input canbe blocked, or other security action can be taken. In at least oneembodiment, the DLP policy can include analysis of traffic associatedwith browser extensions. In an embodiment the DLP policy can beconfigured to review domains that are identified as unknown domains(domains which have not been previously encountered and analyzed for aclassification), or domains that are identified as recent domains(domains which were registered at a domain register within a thresholdperiod of time, such as domains that are less than 30 days old).

FIG. 9 is an exemplary block diagram of a system 900 for assessing auniform resource locator (URL) according to an embodiment. FIG. 9 may beimplemented using the system of FIG. 8 , and using many of the steps ofFIG. 7 and FIG. 8 . In FIG. 8 , the privacy-preserving server was givenknowledge of both the full URL and the client identity. In FIG. 9 ,privacy-preserving server 818 is given knowledge of client 206, but isnot given a full URL 956, and also is not allowed access to a decryptedassessment 964.

In the embodiment discussed with regard to FIG. 9 , security component804 may create an assessment query 944 that includes an encrypted URL946 using a public key 948 associated with assessing server 828.Security component 804 may include in assessment query 944 a clientpublic key 950 for assessing server 928. This may be done as describedabove with regard to FIG. 1 through FIG. 6 and the use of public andprivate keys, but without resort to the use of the EDNS(0) protocols.URL query 944 is then transmitted 978 to privacy-preserving server 818.Subsequently, after removing reference to client 206, privacy-preservingserver 818 may transmit 980 URL query 944 with encrypted full URL 946and a query ID 952 associated with client 206 to assessing server 828.Assessing component 826 may decrypt query 944 and client public key 958using an assessing server private key 954 to obtain full URL 956 andperform an assessment as described above with regard to FIG. 1 -FIG. 8 .Subsequently, assessing component 826 may encrypt the classificationdata 958 and transmit 982 a URL response 960 back to privacy-preservingserver 818, which transmits 984 encrypted classification data 958 on toclient 206 as described before with regard to FIG. 8 . Client securitycomponent 804 may then use client private key 962 to decryptclassification data 964 and proceed as described above with theclassification data as it related to URL 956. Thus, in this embodiment,privacy-preserving server 818 only has knowledge of client 206, but doesnot see full URL 956, and does not see decrypted assessment 964.

A benefit of the embodiments of browser protection while preservingprivacy is that database 832 may be a dynamic database built byassessing server 828 with full URLs and associated assessments from thecollective results of the assessments from a population of clients. Fromsuch a dynamic database a list of assessed URLs (e.g., URLs that arewhitelisted or blacklisted) may be deployed to one or more of theclients of the population. The list is dynamic in the sense that thedatabase may be updated after every assessment. For example, client Aand client B may be associated with an enterprise. Client A may have asecurity component with a content blocker that is based on a list fromthe dynamic database. Client B may be using the content assessment andDNS resolution method as described above and an embodiment of browserprotection while preserving policy. With client B sending all of itsfull URLs to assessing server 828 for assessments, assessing server 828and assessment component 826 continually update database 832 makingdatabase 832 a dynamic list of URLs that may be common or otherwiserelevant to clients of the same enterprise. From database 832, assessingcomponent 826 may compile a list of full URL assessments (e.g.,whitelisted and blacklisted URLs) and return that list to enterpriseclient A through privacy-preserving server 818. Subsequently, thesecurity component on client A may publish the list to other clientsassociated with the enterprise. In embodiments, when a clientauthenticates the authenticating server, the list may be provided to theclient, or an authorization token for some server may be granted to theclient, which can at any (or multiple) later times allow the client toconnect to the authentication server or some other server to obtain thelist.

In embodiments, an ability to refresh the list of full URLs to beblocked exists in, for example, content filtering extensions in abrowser, or browser extensions which do not have a WebRequest Blockingcapability. Such extensions provide a list of URLs to be blocked to thebrowser, and the browser uses this list itself to determine whether aURL should be blocked or not. While these do not allow constant updates,they do allow periodic updates. Such periodic updates would cover thesituation where, from assessment requests by protected devices, e.g.,the CEO, etc., it is determined that an enterprise is being targeted.From the enterprise-specific assessments, assessing component 726 mayprovide, to clients associated with the enterprise, updated blacklists,whitelists, or content filters. In at least one embodiment, the full URLcan be viewed based on the DLP policy.

Furthermore, in embodiments, the systems include various pieces ofnetwork architecture, such as firewalls, secure web gateways, CASBs, andother elements that may perform their own protective blocking. Asassessing component 826 discovers full URLs that should be blocked, orthat might be targeting the enterprise, etc., the network architecturemay be provided with updated blacklists, whitelists, or content filters.

With regard to FIG. 7 through FIG. 9 , the various embodiments may alsouse the methods discussed previously to authenticate client 206 withprivacy-preserving server 818.

In an embodiment, while browsers extensions do not typically send DNSresolution requests, they do contact IP addresses. In this embodiment,outgoing IP addresses of browser extensions may be evaluated in a manneranalogous to the evaluation described above of full URLs. In theembodiment, the outgoing IP address may, in advance of connecting withthe IP address, be checked to determine whether the addition of theextension should be permitted or denied. For example, the IP address maybe checked against a list of known-bad IP addresses (a blacklist) orknown-good IP addresses (a whitelist), or the IP address may beevaluated using retrieved classification data against a policyassociated with the client device to determine whether the extensionshould be allowed. Furthermore, any information received about the IPaddress and the browser extension, good or bad, may be shared with otherdevices, such as enterprise-related devices.

In embodiments, the security component on the client device may beimplemented as a browser extension, e.g., in desktop browsers, or in thefew mobile browsers that support extensions. In embodiments, thesecurity component on the client device may be implemented as the DNSresolver in the operating system, e.g., in Windows, or MacOS, orChromeOS, or iOS, etc. Furthermore, in embodiments, the securitycomponent on the client device may be implemented in both the device'sDNS resolver and in a browser extension, in which case the twoimplementations of the security component may share or exchangeinformation between themselves. For example, the browser extensionversion of the security component sees the full URL as part of adetermination of whether the URL is safe. With domain name that istypically in the URL, the browser extension version can send the domainname to the DNS resolver version in order to receive classification dataas discussed previously. Should the full URL include the IP address,that too, may be communicated to the DNS resolver version in order toreceive classification data as well. Thus, with a security componentimplemented in both the DNS resolver and in a browser extension, theclient device may receive from the first server classification dataregarding whether the URL is safe and classification data regardingwhether the domain name or IP address in the URL is also safe.

FIG. 10 is a flow chart of a method 1000 for preventing password re-useaccording to an embodiment. The negative aspects of password re-use arenot necessarily limited to re-use of the entire password. When a userre-uses part of a password in combination with something else, there-used part may be correlated between passwords and contribute to anunauthorized access of the user's account. For example, a user may havea habit of creating passwords using their name spelled backwards, theirbirthday in reverse order and then the name of the website associatedwith the account.

Embodiments of a secure service for detecting and preventing passwordre-use may be implemented as a service in the operating system, abrowser, or otherwise in a password manager.

In an embodiment, password security may be achieved by not storing thepasswords or the usernames themselves. Instead, the destination (anapplication name or a destination host name, which may optionally behashed) may be associated with a hash of the password and a hash of theuser. The three may be stored in a database accessible to the service.When the service is implemented on a user device, the storage locationmay be a secure location, e.g., a secure enclave processor for iOS, orthe Trusted Execution Environment (TEE) of Android. In an embodiment,the service may be implemented on a server or other piece of networkarchitecture. In the embodiment, the service may be queried when a user,e.g., user1, enters a new password. When a new password, e.g., p/w1, isentered for a destination, e.g., xyz.com, a security component may takea hash of the password, a hash of the destination, and a hash of theusername, and send an association of the three to the service. Theservice may then compare the hash of the new password to password hashesstored in the database. If the comparison determines that no hash in thedatabase matches the hash of the new password, then the new password maybe allowed and the service informs the security component accordingly.If the comparison shows that one or more hashes in the database matchthe hash of the new password, then the hash of the username is comparedto the username hashes in the database associated with the matchingpassword hashes to determine if the new password has been used by usedbefore. If none of the username hashes associated with matching passwordhashes match the hash of user1, then the new password may also beallowed (because user1 has not used the new password before, even thoughanother user has) and the service informs the security componentaccordingly.

Thus, in an embodiment of a method 1000 illustrated in FIG. 10 , in step1002 a password security service operating on a server receives fromclient device, a user name, password, and destination host. The securityservice creates a hash of the user name (h/username), a hash of thepassword (h/password), and, optionally, a hash of the host name(h/hostname). In step 1004, the security service associates theh/username, h/password, and hostname or h/hostname. In step 1006, thesecurity service accesses a service database and compares the h/passwordto the password hashes in the database. In step 1008, when h/passworddoes not match any password hash in the database, the service informsthe client device that the password is allowed. In step 1010, whenh/password matches one or more password hashes in the database, h/useris compared to the username hashes associated with the matched passwordhashes from the database. In step 1012, when h/username does not matchany of the username hashes associated with the matched password hashes,then the service informs the client device that the password is allowed.Otherwise, the service informs the client device that the password isnot allowed.

The embodiment of FIG. 10 reflects an enterprise policy that allows thesame password to be used once by any user. In an embodiment, anenterprise policy may prevent a password from being used by more thanone enterprise user. For example, the policy may be based on the ideathat if more than one user has the same password, then the password iseither being shared, or is not sufficiently complex. In the embodiment,the database accessible by the service may be limited to storing datafrom only enterprise users. Or, the database may store data for multipleenterprises and each password hash may also be associated with anenterprise (and the enterprise may itself be optionally hashed forincreased security). For example, the database may store hashes of thepassword (h/pw1), the destination (h/xyz.com), and the user (h/user1),associated with the enterprise (hash optional). In an embodiment, if,upon the service receiving hashes of the new password and the usernameand the enterprise (optionally hashed), a comparison determines that nopassword hash in the database matches the hash of the new password, thenthe new password may be allowed and the service informs the clientdevice accordingly. If the comparison shows that one or more passwordhashes in the database match the hash of the new password and one of thematching password hashes is also associated with the same enterprise asthe user (user1), then the new password is rejected and the serviceinforms the client device accordingly. In an embodiment in which thedatabase is limited to a single enterprise, the security component wouldnot need to include the enterprise along with the association of thepassword hash and username hash. In this embodiment, if the comparisonshows that one or more password hashes in the database match the hash ofthe new password, then the new password is rejected and the serviceinforms the security component accordingly.

In embodiments, an enterprise may have a policy allowing an arbitrarynumber of users to use the same password. In embodiments, the number oftimes a user may be allowed to re-use a password may be an arbitrarynumber other than zero.

In embodiments, the username and password may be hashed together andcompared to similar username/password hashes in the database. In thisembodiment, the username functions as a salt making the password,itself, unsearchable. Such an embodiment would prevent the user fromre-using the password, but would not provide for preventing the generalre-use of the password.

Thus, the several embodiments maintain security by storing hashes of theusername and password. In embodiments above in which classification dataand DNS resolutions (e.g., IP addresses) are both supplied, if userpreferences or enterprise policy for a classification are such that thedomain or URL should be blocked, then rather than returning IP addressesthe recursive resolver may remove the IP addresses and use a DNSResponse Code of NXDOMAIN to accomplish the effect of blockingcommunication to that domain.

FIG. 11 is an exemplary block diagram depicting an embodiment of systemfor implement embodiments of methods of the disclosure. In FIG. 11 ,computer network 1100 includes a number of computing devices 1110 a-1110f, and one or more server systems 1120 coupled to a communicationnetwork 360 via a plurality of communication links 1130. Communicationnetwork 360 provides a mechanism for allowing the various components ofdistributed network 1100 to communicate and exchange information witheach other.

Communication network 360 itself is comprised of one or moreinterconnected computer systems and communication links. Communicationlinks 1130 may include hardwire links, optical links, satellite or otherwireless communications links, wave propagation links, or any othermechanisms for communication of information. Various communicationprotocols may be used to facilitate communication between the varioussystems shown in FIG. 11 . These communication protocols may includeTCP/IP, UDP, HTTP protocols, wireless application protocol (WAP),BLUETOOTH, Zigbee, 802.11, 802.15, 6LoWPAN, LiFi, Google Weave, NFC,GSM, CDMA, other cellular data communication protocols, wirelesstelephony protocols, Internet telephony, IP telephony, digital voice,voice over broadband (VoBB), broadband telephony, Voice over IP (VoIP),vendor-specific protocols, customized protocols, and others. While inone embodiment, communication network 360 is the Internet, in otherembodiments, communication network 360 may be any suitable communicationnetwork including a local area network (LAN), a wide area network (WAN),a wireless network, a cellular network, a personal area network, anintranet, a private network, a near field communications (NFC) network,a public network, a switched network, a peer-to-peer network, andcombinations of these, and the like.

In an embodiment, the server 1120 is not located near a user of acomputing device, and is communicated with over a network. In adifferent embodiment, the server 1120 is a device that a user can carryupon his person, or can keep nearby. In an embodiment, the server 1120has a large battery to power long distance communications networks suchas a cell network or Wi-Fi. The server 1120 communicates with the othercomponents of the personal mobile device system via wired links or vialow powered short range wireless communications such as BLUETOOTH. In anembodiment, one of the other components of the personal mobile devicesystem plays the role of the server, e.g., the watch 1110 b, the headmounted device or glasses or virtual reality or augmented reality device1110 d, the phone or mobile communications device 1110 c, the tablet1110 e, the PC 1110 a, and/or the vehicle (e.g., an automobile, or othermanned or unmanned or autonomous vehicle for land or aerial or aquaticoperation) 11110 f. Other types of computing devices 1110 include otherwearable devices, devices incorporated into clothing, implantable orimplanted devices, ingestible devices, or ‘things’ in the internet ofthings, which may be sensors or actuators or mobile or sessile devices,or hubs or servers controlling such ‘things’ or facilitating theircommunications.

Distributed computer network 1100 in FIG. 11 is merely illustrative ofan embodiment incorporating the embodiments and does not limit the scopeof the invention as recited in the claims. One of ordinary skill in theart would recognize other variations, modifications, and alternatives.For example, more than one server system 1120 may be connected tocommunication network 360. As another example, a number of computingdevices 1110 a-1110 f may be coupled to communication network 360 via anaccess provider (not shown) or via some other server system.

Computing devices 1110 a-1110 f typically request information from aserver system that provides the information. Server systems bydefinition typically have more computing and storage capacity than thesecomputing devices, which are often such things as portable devices,mobile communications devices, or other computing devices that play therole of a client in a client-server operation. However, a particularcomputing device may act as both a client and a server depending onwhether the computing device is requesting or providing information.Aspects of the embodiments may be embodied using a client-serverenvironment or a cloud-cloud computing environment.

Server 1120 is responsible for receiving information requests fromcomputing devices 1110 a-1110 f, for performing processing required tosatisfy the requests, and for forwarding the results corresponding tothe requests back to the requesting computing device. The processingrequired to satisfy the request may be performed by server system 1120or may alternatively be delegated to other servers connected tocommunication network 360 or to other communications networks. A server1120 may be located near the computing devices 1110 or may be remotefrom the computing devices 1110. A server 1120 may be a hub controllinga local enclave of things in an internet of things scenario.

Computing devices 1110 a-1110 f enable users to access and queryinformation or applications stored by server system 1120. Some examplecomputing devices include portable electronic devices (e.g., mobilecommunications devices) such as the Apple iPhone®, the Apple iPad®, thePalm Pre™, or any computing device running the Apple iOS™, Android™ OS,Google Chrome OS, Symbian OS®, Windows 10, Windows Mobile® OS, Palm OS®or Palm Web OS™, or any of various operating systems used for Internetof Things (IoT) devices or automotive or other vehicles or Real TimeOperating Systems (RTOS), such as the RIOT OS, Windows 10 for IoT,WindRiver VxWorks, Google Brillo, ARM Mbed OS, Embedded Apple iOS and OSX, the Nucleus RTOS, Green Hills Integrity, or Contiki, or any ofvarious Programmable Logic Controller (PLC) or Programmable AutomationController (PAC) operating systems such as Microware OS-9, VxWorks, QNXNeutrino, FreeRTOS, Micrium μC/OS-II, Micrium μC/OS-III, Windows CE,TI-RTOS, RTEMS. Other operating systems may be used. In a specificembodiment, a “web browser” application executing on a computing deviceenables users to select, access, retrieve, or query information and/orapplications stored by server system 1120. Examples of web browsersinclude the Android browser provided by Google, the Safari® browserprovided by Apple, the Opera Web browser provided by Opera Software, theBlackBerry® browser provided by Research In Motion, the InternetExplorer® and Internet Explorer Mobile browsers provided by MicrosoftCorporation, the Firefox® and Firefox for Mobile browsers provided byMozilla®, and others.

FIG. 12 is an exemplary block diagram depicting a computing device 1200of an embodiment. Computing device 1200 may be any of the computingdevices 1110 from FIG. 11 . Computing device 1200 may include a display,screen, or monitor 1205, housing 1210, and input device 1215. Housing1210 houses familiar computer components, some of which are not shown,such as a processor 1220, memory 1225, battery 1230, speaker,transceiver, antenna 1235, microphone, ports, jacks, connectors, camera,input/output (I/O) controller, display adapter, network interface, massstorage devices 1240, various sensors, and the like.

Input device 1215 may also include a touchscreen (e.g., resistive,surface acoustic wave, capacitive sensing, infrared, optical imaging,dispersive signal, or acoustic pulse recognition), keyboard (e.g.,electronic keyboard or physical keyboard), buttons, switches, stylus, orcombinations of these.

Mass storage devices 1240 may include flash and other nonvolatilesolid-state storage or solid-state drive (SSD), such as a flash drive,flash memory, or USB flash drive. Other examples of mass storage includemass disk drives, floppy disks, magnetic disks, optical disks,magneto-optical disks, fixed disks, hard disks, SD cards, CD-ROMs,recordable CDs, DVDs, recordable DVDs (e.g DVD-R, DVD+R, DVD-RW, DVD+RW,HD-DVD, or Blu-ray Disc), battery-backed-up volatile memory, tapestorage, reader, and other similar media, and combinations of these.

Embodiments may also be used with computer systems having differentconfigurations, e.g., with additional or fewer subsystems. For example,a computer system could include more than one processor (i.e, amultiprocessor system, which may permit parallel processing ofinformation) or a system may include a cache memory. The computer systemshown in FIG. 12 is but an example of a computer system suitable for usewith the embodiments. Other configurations of subsystems suitable foruse with the embodiments will be readily apparent to one of ordinaryskill in the art. For example, in a specific implementation, thecomputing device is a mobile communications device such as a smartphoneor tablet computer. Some specific examples of smartphones include theDroid Incredible and Google Nexus One, provided by HTC Corporation, theiPhone or iPad, both provided by Apple, and many others. The computingdevice may be a laptop or a netbook. In another specific implementation,the computing device is a non-portable computing device such as adesktop computer or workstation.

A computer-implemented or computer-executable version of the programinstructions useful to practice the embodiments may be embodied using,stored on, or associated with computer-readable medium. Acomputer-readable medium may include any medium that participates inproviding instructions to one or more processors for execution, such asmemory 1225 or mass storage 1240. Such a medium may take many formsincluding, but not limited to, nonvolatile, volatile, transmission,non-printed, and printed media. Nonvolatile media includes, for example,flash memory, or optical or magnetic disks. Volatile media includesstatic or dynamic memory, such as cache memory or RAM. Transmissionmedia includes coaxial cables, copper wire, fiber optic lines, and wiresarranged in a bus. Transmission media can also take the form ofelectromagnetic, radio frequency, acoustic, or light waves, such asthose generated during radio wave and infrared data communications.

For example, a binary, machine-executable version, of the softwareuseful to practice the embodiments may be stored or reside in RAM orcache memory, or on mass storage device 1240. The source code of thissoftware may also be stored or reside on mass storage device 1240 (e.g.,flash drive, hard disk, magnetic disk, tape, or CD-ROM). As a furtherexample, code useful for practicing the embodiments may be transmittedvia wires, radio waves, or through a network such as the Internet. Inanother specific embodiment, a computer program product including avariety of software program code to implement features of the embodimentis provided.

Computer software products may be written in any of various suitableprogramming languages, such as C, C++, C#, Pascal, Fortran, Perl, Matlab(from MathWorks, www.mathworks.com), SAS, SPSS, JavaScript,CoffeeScript, Objective-C, Swift, Objective-J, Ruby, Python, Erlang,Lisp, Scala, Clojure, and Java. The computer software product may be anindependent application with data input and data display modules.Alternatively, the computer software products may be classes that may beinstantiated as distributed objects. The computer software products mayalso be component software such as Java Beans (from Oracle) orEnterprise Java Beans (EJB from Oracle).

An operating system for the system may be the Android operating system,iPhone OS (i.e., iOS), Symbian, BlackBerry OS, Palm web OS, Bada, MeeGo,Maemo, Limo, or Brew OS. Other examples of operating systems include oneof the Microsoft Windows family of operating systems (e.g., Windows 95,98, Me, Windows NT, Windows 2000, Windows XP, Windows XP x64 Edition,Windows Vista, Windows 10 or other Windows versions, Windows CE, WindowsMobile, Windows Phone, Windows 10 Mobile), Linux, HP-UX, UNIX, Sun OS,Solaris, Mac OS X, Alpha OS, AIX, IRIX32, or IRIX64, or any of variousoperating systems used for Internet of Things (IoT) devices orautomotive or other vehicles or Real Time Operating Systems (RTOS), suchas the RIOT OS, Windows 10 for IoT, WindRiver VxWorks, Google Brillo,ARM Mbed OS, Embedded Apple iOS and OS X, the Nucleus RTOS, Green HillsIntegrity, or Contiki, or any of various Programmable Logic Controller(PLC) or Programmable Automation Controller (PAC) operating systems suchas Microware OS-9, VxWorks, QNX Neutrino, FreeRTOS, Micrium μC/OS-II,Micrium μC/OS-III, Windows CE, TI-RTOS, RTEMS. Other operating systemsmay be used.

Furthermore, the computer may be connected to a network and mayinterface to other computers using this network. The network may be anintranet, internet, or the Internet, among others. The network may be awired network (e.g., using copper), telephone network, packet network,an optical network (e.g., using optical fiber), or a wireless network,or any combination of these. For example, data and other information maybe passed between the computer and components (or steps) of a systemuseful in practicing the embodiments using a wireless network employinga protocol such as Wi-Fi (IEEE standards 802.11, 802.11a, 802.11b,802.11e, 802.11g, 802.11i, and 802.11n, just to name a few examples), orother protocols, such as BLUETOOTH or NFC or 802.15 or cellular, orcommunication protocols may include TCP/IP, UDP, HTTP protocols,wireless application protocol (WAP), BLUETOOTH, Zigbee, 802.11, 802.15,6LoWPAN, LiFi, Google Weave, NFC, GSM, CDMA, other cellular datacommunication protocols, wireless telephony protocols or the like. Forexample, signals from a computer may be transferred, at least in part,wirelessly to components or other computers.

In an embodiment, a method for classifying a full uniform resourcelocator (URL) comprises: receiving, by a first security componentexecuting on a first server, a query from a client device, the queryincluding a full URL and a request for classification data associatedwith the full URL, the full URL having been obtained, by a secondsecurity component embedded in an operating system or a browserexecuting on the client device, in advance of the browser accessing theURL; modifying, by the first security component, the query by removingfrom the query identification of the client device and adding a queryidentifier; associating, by the first security component, the queryidentifier with the client device in a query database; sending, by thefirst security component, the modified query to an assessment componentexecuting on a second server; receiving, by the first security componentfrom the assessment component, a response including the query identifierand classification data associated with the full URL, the assessmentcomponent having: accessed a classification data database; compared thefull URL to classification data stored in the database; retrieved anyassociated classification data; and included the retrieved associatedclassification data and the query identifier in the response;retrieving, by the first security component, the identity of the clientdevice from the query database; and sending, by the first securitycomponent, the retrieved classification data to the second securitycomponent, the second security component evaluating the classificationdata to determine whether to allow the browser to access the URL.

In an embodiment, a method for classifying a full uniform resourcelocator (URL) comprises: receiving, by a first security componentexecuting on a first server, a query from a client device, the queryincluding an encrypted full URL, an encrypted client public key, and arequest for classification data associated with the full URL, the fullURL having been obtained, by a second security component embedded in anoperating system or a browser executing on the client device, in advanceof the browser accessing the URL; modifying, by the first securitycomponent, the query by removing from the query identification of theclient device and adding a query identifier; associating, by the firstsecurity component, the query identifier with the client device in aquery database; sending, by the first security component, the modifiedquery to an assessment component executing on a second server, theassessment component: decrypting the encrypted full URL and theencrypted client public key; accessing a classification data database;comparing the decrypted full URL to classification data stored in thedatabase; retrieving d any associated classification data; including theretrieved associated classification data and the query identifier in aresponse; receiving, by the first security component from the assessmentcomponent, the response; retrieving, by the first security componentusing the query identifier in the response, the identity of the clientdevice from the query database; and sending, by the first securitycomponent, the retrieved classification data to the second securitycomponent, the second security component evaluating the classificationdata to determine whether to allow the browser to access the URL.

While the embodiments have been described with regards to particularembodiments, it is recognized that additional variations may be devisedwithout departing from the inventive concept.

The terminology used herein is for the purpose of describing particularembodiments only and is not intended to be limiting of the claimedsubject matter. As used herein, the term “and/or” includes any and allcombinations of one or more of the associated listed items. As usedherein, the singular forms “a,” “an,” and “the” are intended to includethe plural forms as well as the singular forms, unless the contextclearly indicates otherwise. It will further be understood that theterms “comprises” and/or “comprising,” when used in this specification,specify the presence of states features, steps, operations, elements,and/or components, but do not preclude the present or addition of one ormore other features, steps, operations, elements, components, and/orgroups thereof.

Unless otherwise defined, all terms (including technical and scientificterms) used herein have the same meaning as commonly understood by onehaving ordinary skill in the art to which the embodiments belong. Itwill further be understood that terms, such as those defined in commonlyused dictionaries, should be interpreted as having a meaning that isconsistent with their meaning in the context of the relevant art and thepresent disclosure and will not be interpreted in an idealized or overlyformal sense unless expressly so defined herein.

In describing the embodiments, it will be understood that a number ofelements, techniques, and steps are disclosed. Each of these hasindividual benefit and each can also be used in conjunction with one ormore, or in some cases all, of the other disclosed elements, ortechniques. The specification and claims should be read with theunderstanding that such combinations are entirely within the scope ofthe embodiments and the claimed subject matter.

In the description above and throughout, numerous specific details areset forth in order to provide a thorough understanding of an embodimentof this disclosure. It will be evident, however, to one of ordinaryskill in the art, that an embodiment may be practiced without thesespecific details. In other instances, well-known structures and devicesare shown in block diagram form to facilitate explanation. Thedescription of the preferred embodiments is not intended to limit thescope of the claims appended hereto. Further, in the methods disclosedherein, various steps are disclosed illustrating some of the functionsof an embodiment. These steps are merely examples and are not meant tobe limiting in any way. Other steps and functions may be contemplatedwithout departing from this disclosure or the scope of an embodiment.

What is claimed is:
 1. A method for classifying a full uniform resourcelocator (URL) comprising: receiving, by a first security componentexecuting on a first server, a query from a client device, the queryincluding a full URL and a request for classification data associatedwith the full URL, the full URL having been obtained, by a secondsecurity component embedded in an operating system or a browserexecuting on the client device, in advance of the browser accessing theURL; modifying, by the first security component, the query by removingfrom the query identification of the client device and adding a queryidentifier; associating, by the first security component, the queryidentifier with the client device in a query database; sending, by thefirst security component, the modified query to an assessment componentexecuting on a second server; receiving, by the first security componentfrom the assessment component, a response including the query identifierand classification data associated with the full URL, the assessmentcomponent having: accessed a classification data database; compared thefull URL to classification data stored in the database; retrieved anyassociated classification data; and included the retrieved associatedclassification data and the query identifier in the response;retrieving, by the first security component, the identity of the clientdevice from the query database; and evaluating the retrievedclassification data to determine whether to allow the browser to accessthe URL.
 2. The method of claim 1, wherein the evaluating theclassification data to determine whether to allow the browser to accessthe URL, includes: sending, by the first security component, theretrieved classification data to the second security component, thesecond security component evaluating the classification data todetermine whether to allow the browser to access the URL.
 3. The methodof claim 1, wherein the evaluating the classification data to determinewhether to allow the browser to access the URL, includes: the firstsecurity component evaluating the classification data to determinewhether to allow the browser to access the URL, the method furtherincluding: sending, by the first security component to the secondsecurity component, an assessment or command regarding whether to allowthe browser to access the URL.
 4. The method of claim 1, wherein theevaluating the classification data to determine whether to allow thebrowser to access the URL, includes: the first security componentevaluating the classification data to determine whether to allow thebrowser to access the URL, the method further including: when theevaluation of the classification data results in a determinationregarding whether to allow the browser to access the URL, sending, bythe first security component to the second security component, anassessment or command regarding whether to allow the browser to accessthe URL, or when the evaluation of the classification data does notresult in a determination regarding whether to allow the browser toaccess the URL, sending, by the first security component, the retrievedclassification data to the second security component, the secondsecurity component evaluating the classification data to determinewhether to allow the browser to access the URL.
 5. The method of claim1, wherein: the full URL is an encrypted full URL; the assessmentcomponent having compared the full URL to classification data stored inthe database includes the assessment component having decrypted theencrypted full URL and having compared the decrypted full URL toclassification data stored in the database; and the retrieving, by thefirst security component, the identity of the client device from thequery database includes retrieving, by the first security componentusing the query identifier in the response, the identity of the clientdevice from the query database.
 6. The method of claim 5, wherein: thequery further includes an encrypted client public key; the assessmentcomponent having included the retrieved associated classification dataand the query identifier in the response includes the assessmentcomponent having: decrypted the encrypted client public key; encryptedthe retrieved associated classification data using the client publickey; and included the encrypted retrieved associated classification datain the response.
 7. The method of claim 6, wherein the evaluating theretrieved classification data to determine whether to allow the browserto access the URL, includes: sending, by the first security component,the encrypted retrieved associated classification data to the secondsecurity component, the second security component decrypting theencrypted retrieved associated classification data and evaluating thedecrypted classification data to determine whether to allow the browserto access the URL.
 8. A system for classifying a full uniform resourcelocator (URL) comprising: a first server including at least oneprocessor and memory storing first instructions; a second serverincluding at least one processor and memory storing second instructionsand a client device including at least one processor and memory storingthird instructions, the first, second, and third instructions configuredto cause the first server, the second server, or the client device,respectively, to: receive, by a first security component executing onthe first server according to the first instructions, a query from theclient device, the query including a full URL and a request forclassification data associated with the full URL, the full URL havingbeen obtained, by a second security component embedded in an operatingsystem or a browser executing on the client device according to thethird instructions, in advance of the browser accessing the URL; modify,by the first security component, the query by removing from the queryidentification of the client device and adding a query identifier;associate, by the first security component, the query identifier withthe client device in a query database; send, by the first securitycomponent, the modified query to an assessment component executing onthe second server according to the second instructions; receive, by thefirst security component from the assessment component, a responseincluding the query identifier and classification data associated withthe full URL, the assessment component having: accessed a classificationdata database; compared the full URL to classification data stored inthe database; retrieved any associated classification data; and includedthe retrieved associated classification data and the query identifier inthe response; retrieve, by the first security component, the identity ofthe client device from the query database; and evaluate, by the firstsecurity component or the second security component, the retrievedclassification data to determine whether to allow the browser to accessthe URL.
 9. The system of claim 8, wherein the evaluate, by the firstsecurity component or the second security component, the retrievedclassification data to determine whether to allow the browser to accessthe URL, includes: sending, by the first security component, theretrieved classification data to the second security component, thesecond security component evaluating the classification data todetermine whether to allow the browser to access the URL.
 10. The systemof claim 8, wherein the evaluate, by the first security component or thesecond security component, the retrieved classification data todetermine whether to allow the browser to access the URL, includes: thefirst security component evaluating the classification data to determinewhether to allow the browser to access the URL, the method furtherincluding: sending, by the first security component to the secondsecurity component, an assessment or command regarding whether to allowthe browser to access the URL.
 11. The system of claim 8, wherein theevaluate, by the first security component or the second securitycomponent, the retrieved classification data to determine whether toallow the browser to access the URL includes: the first securitycomponent evaluating the classification data to determine whether toallow the browser to access the URL, the method further including: whenthe evaluation of the classification data results in a determinationregarding whether to allow the browser to access the URL, sending, bythe first security component to the second security component, anassessment or command regarding whether to allow the browser to accessthe URL, or when the evaluation of the classification data does notresult in a determination regarding whether to allow the browser toaccess the URL, sending, by the first security component, the retrievedclassification data to the second security component, the secondsecurity component evaluating the classification data to determinewhether to allow the browser to access the URL.
 12. The system of claim8, wherein: the full URL is an encrypted full URL; the assessmentcomponent having compared the full URL to classification data stored inthe database includes the assessment component having decrypted theencrypted URL and having compared the decrypted full URL toclassification data stored in the database; and the retrieving, by thefirst security component, the identity of the client device from thequery database includes retrieving, by the first security componentusing the query identifier in the response, the identity of the clientdevice from the query database.
 13. The system of claim 12, wherein: thequery further includes an encrypted client public key; the assessmentcomponent having included the retrieved associated classification dataand the query identifier in the response includes the assessmentcomponent having: decrypted the encrypted client public key; encryptedthe retrieved associated classification data using the client publickey; and included the encrypted retrieved associated classification datain the response.
 14. The system of claim 13, wherein the evaluating theretrieved classification data to determine whether to allow the browserto access the URL, includes: sending, by the first security component,the encrypted retrieved associated classification data to the secondsecurity component, the second security component decrypting theencrypted retrieved associated classification data and evaluating thedecrypted classification data to determine whether to allow the browserto access the URL.
 15. A non-transitory storage medium storingcomputer-readable instructions, which when executed, cause a firstsecurity component executing on a first server to: receive a query froma client device, the query including a full URL and a request forclassification data associated with the full URL, the full URL havingbeen obtained, by a second security component embedded in an operatingsystem or a browser executing on the client device, in advance of thebrowser accessing the URL; modify the query by removing from the queryidentification of the client device and adding a query identifier;associate the query identifier with the client device in a querydatabase; send the modified query to an assessment component executingon the second server according to the second instructions; receive, fromthe assessment component, a response including the query identifier andclassification data associated with the full URL, the assessmentcomponent having: accessed a classification data database; compared thefull URL to classification data stored in the database; retrieved anyassociated classification data; and included the retrieved associatedclassification data and the query identifier in the response; retrievethe identity of the client device from the query database; and one ormore from the following: evaluate the retrieved classification data todetermine whether to allow the browser to access the URL, or send theretrieved classification data to the second security component.
 16. Thestorage medium of claim 15, the instructions further causing the firstsecurity component to: send, to the second security component, anassessment or command regarding whether to allow the browser to accessthe URL.
 17. The storage medium of claim 15, wherein the one or morefrom the following: evaluate the retrieved classification data todetermine whether to allow the browser to access the URL, or send theretrieved classification data to the second security component,includes: evaluate the retrieved classification data to determinewhether to allow the browser to access the URL, and the instructionsfurther causing the first security component to: when the evaluation ofthe retrieved classification data results in a determination regardingwhether to allow the browser to access the URL, send, to the secondsecurity component, an assessment or command regarding whether to allowthe browser to access the URL, or when the evaluation of the retrievedclassification data does not result in a determination regarding whetherto allow the browser to access the URL, send the retrievedclassification data to the second security component for the secondsecurity component to evaluate to determine whether to allow the browserto access the URL.
 18. The storage medium of claim 15, wherein: the fullURL is an encrypted full URL; the assessment component having comparedthe full URL to classification data stored in the database includes theassessment component having decrypted the encrypted full URL and havingcompared the decrypted full URL to classification data stored in thedatabase; and the retrieve the identity of the client device from thequery database includes retrieving, by the first security componentusing the query identifier in the response, the identity of the clientdevice from the query database.
 19. The storage medium of claim 18,wherein: the query further includes an encrypted client public key; theassessment component having included the retrieved associatedclassification data and the query identifier in the response includesthe assessment component having: decrypted the encrypted client publickey; encrypted the retrieved associated classification data using theclient public key; and included the encrypted retrieved associatedclassification data in the response.
 20. The storage medium of claim 19,wherein the evaluate the retrieved classification data to determinewhether to allow the browser to access the URL includes: sending theencrypted retrieved associated classification data to the secondsecurity component for the second security component to decrypt theencrypted retrieved associated classification data and evaluate thedecrypted classification data to determine whether to allow the browserto access the URL.